Thursday, May 15, 2014

Exporting a local certificate with private key

If you have a local certificate on the Fortigate and the original certificate request (csr) was generated on the Fortigate then the private key resides on the Fortigate and you need to export this in order to install your signed certificate on another server.
The problem with the Fortigate certificate export feature is that it will only export the signed certificate (which you likely already have stored somewhere). The private key is stored in the configuration backup file however it is encrypted with an unknown password.
Luckily there is a workaround available, you can unset the private key password via CLI then back up your configuration file where you’ll find the private key available for use.

config vpn certificate local

This will give you a list of the local certificates. Next edit the desired certificate and unset the password

edit testcert
unset password

Now when you back up your Fortigate configuration you’ll find the signed certificate as well as the private key.

Look for the following line:

set private-key "-----BEGIN RSA PRIVATE KEY-----

Copy everything between (and including)


into a text file.. This is your private key that can be used with the signed certificate to be imported into another server.

("Borrowed" from